Wireshark-dev: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP
From: "Fernandez, Rafael" <[email protected]>
Date: Thu, 5 May 2011 12:39:30 -0500
OK. This function returns exactly the same as yours. The rest of the code is in there for debugging purposes. I appreciate you trying to help me, but you are focusing on Wireshark coding standards and lines that do not have anything to do with the issue I am experiencing. The issue is the following:

In epan/dissectors/packet-tcp.c-tcp_dissect_pdus():
line 1993: get_pdu_len returns 322. Sets plen to 322.
lines 2053-2061: length_remaining is 144. Thus (length_remaining < plen) is true. Sets pinfo->desegment_offset and pinfo->desegment_len. tcp_dissect_pdus returns.

In my_dissector.c:
1. Once tcp_dissect_pdus returns, dissect_message returns.
2. dissect_message gets called soon after and calls tcp_dissect_pdus again.

In packet-tcp.c-tcp_dissect_pdus:
Line 1993: get_pdu_len gets called again. It reads 4 bytes starting from the 178th (322-144) byte of the application message. Thus, it returns a garbage size.

Don't you think there is an issue with this?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Maynard
Sent: Thursday, May 05, 2011 11:27 AM
To: [email protected]
Subject: Re: [Wireshark-dev] TCP dissect issue when app-level message spans multiple TCP packets

Fernandez, Rafael <[email protected]> writes:

> This is my current get_message_tcpmessage_len:
> guint get_message_tcpmessage_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
> {
>         guint remaining  = tvb_length_remaining(tvb, offset);
>         guint last_size = tvb_get_letohl(tvb, offset)+MESSAGE_HEADER_SIZE;
>         if(last_size > remaining)
>         {
>                 printf("not enough data: %u remaining: %u\n", last_size, remaining);
>         }
>         return last_size;
> }

This is still wrong.  You shouldn't be trying to figure out if you've got enough
data; tcp_dissect_pdus() will handle all that for you.  This function only needs
to return the length of the entire PDU so tcp_dissect_pdus() knows how much data
it needs to reassemble before calling your dissector.  Try changing the function
to something like what I posted earlier.

You might also re-read section 2.7.1 of doc/README.developer, as it could help
you in the case of UDP.  And take a look at other examples in the Wireshark
codebase, such as packet-dns.c which doc/README.developer references in its

And stop using printf().  If you need to, try using g_warning() instead.

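The split discussed in this thread (a 322-byte message arriving as 144 bytes, then 178), as an added standalone model of length-prefixed reassembly; it is not code from either poster and not Wireshark's tcp_dissect_pdus(). `stream_t`, `feed`, `HDR_LEN` (standing in for MESSAGE_HEADER_SIZE, assumed to be 4) and `MAX_PDU` are hypothetical names and values. It contrasts a length read at the PDU start with one read at the start of the second segment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4      /* assumption: header is only the 4-byte LE body length */
#define MAX_PDU 65536  /* assumption: sanity cap on one PDU */
typedef struct { uint8_t buf[MAX_PDU]; size_t have; } stream_t;

/* Length callback: total PDU size read from the header, nothing else. */
static uint32_t get_pdu_len(const uint8_t *p) {
    uint32_t body = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
    return body + HDR_LEN;  /* may wrap; the caller rejects results < HDR_LEN */
}

/* Append one segment; return complete PDUs delivered, or -1 on a bad length. */
static int feed(stream_t *s, const uint8_t *seg, size_t n, uint32_t *last) {
    size_t off = 0; int done = 0;
    if (n > sizeof s->buf - s->have) return -1;
    memcpy(s->buf + s->have, seg, n);
    s->have += n;
    while (s->have - off >= HDR_LEN) {
        uint32_t plen = get_pdu_len(s->buf + off);  /* always at a PDU start */
        if (plen < HDR_LEN || plen > MAX_PDU) return -1;
        if (s->have - off < plen) break;  /* short: keep bytes, wait for more */
        *last = plen; off += plen; done++;
    }
    memmove(s->buf, s->buf + off, s->have - off);
    s->have -= off;
    return done;
}

static void make_msg(uint8_t m[322]) {  /* constructed sample, 0xAB filler */
    memset(m, 0xAB, 322);
    m[0] = 0x3E; m[1] = 0x01; m[2] = 0; m[3] = 0;  /* body = 318 */
}

uint32_t reassembled_len(void) {  /* segments of 144 then 178 bytes */
    static stream_t s; uint8_t m[322]; uint32_t last = 0;
    make_msg(m); s.have = 0;
    if (feed(&s, m, 144, &last) != 0) return 0;
    return feed(&s, m + 144, 178, &last) == 1 ? last : 0;
}

uint32_t misaligned_len(void) {  /* header read at the second segment's start */
    uint8_t m[322]; make_msg(m);
    return get_pdu_len(m + 144);
}

int main(void) { printf("%u %u\n", reassembled_len(), misaligned_len()); return 0; }
```

The bounds check in `feed` is what turns a misaligned or hostile length field into a rejected stream instead of an oversized reassembly request.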